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Abstract —We introduce a new measure on secrecy, which 
is established based on rate-distortion theory. It is named 
security rate, which is the minimum (infimum) of the additional 
rate needed to reconstruct the source within target distortion 
level with any positive probability for wiretapper. It denotes 
the minimum distance in information metric (bits) from what 
wiretapper has received to any decrypted reconstruction (where 
decryption is defined as reconstruction within target distor¬ 
tion level with some positive possibility). By source coding 
theorem, it is equivalent to a distortion-based equivocation 
min -7(5"; U"|M) which can be seen as a 

direct extension of equivocation ^77 (5"|M) to lossy decryption 
case, given distortion level De and the received (encrypted) 
message M of wiretapper. In this paper, we study it in Shannon 
cipher system with lossless communication, where a source is 
transmitted from sender to legitimate receiver secretly and loss- 
lessly, and also eavesdropped by a wiretapper. We characterize 
the admissible region of secret key rate, coding rate of the 
source, wiretapper distortion, and security rate (distortion-based 
equivocation). Since the security rate equals the distortion-based 
equivocation, and the equivocation is a special case of the 
distortion-based equivocation (with Hamming distortion measure 
and De ~ 0), this gives an answer for the meaning of the 
maximum equivocation. 

I. Introduction 

The Shannon cipher system depicted in Fig. 1 is first inves¬ 
tigated in [1], where sender A communicates with legitimate 
receiver B secretly by exploiting a secret key that is shared by 
them. In [1], Shannon regarded this system as perfectly secret 
if the source and the eavesdropped message are statistically 
independent. For lossless communication case, a necessary and 
sufficient condition for perfect secrecy is that the number of 
secret key bits per source symbol exceeds the entropy of the 
source. When the amount of key is insufficient, it must relax 
the requirement of statistical independence and introduce new 
measures of secrecy. 

One common way of measuring sub-perfect secrecy is 
with equivocation, the conditional entropy ^77 (5'"|M) of the 
source given the public message. The use of equivocation as a 
measure of secrecy was considered in the original work on the 
wiretap channel in [2] and [3], and it continues today. From 
lossy source coding theorem, the equivocation indeed indicates 
the minimum additional rate for wiretapper to reconstruct the 
source losslessly on the basis of the received message M, 
when the coding scheme adopted by A and B is stationary. 

For lossy decryption, a distortion-based measure has been 
proposed by Yamamoto in [4], which is to measure secrecy 


by the distortion that an wiretapper incurs in attempting to 
reconstruct the source sequence. However, Schieler et al [5] 
show that this measure is cheap, since negligible rates of secret 
key can force minimum distortion achieved by wiretapper 
to the one reconstructed without any information about the 
source; meanwhile it is also fragile, since wiretapper can 
reconstruct the transmitted message completely if it has a 
little knowledge of the source. To strengthen measure of 
secrecy, another distortion-based approach [6], [7] is to design 
schemes around the assumption that the wiretapper has ability 
to conduct list decoding with fixed list size. The induced 
distortion is the minimum distortion over the entire list. 
This exponent of list size Re is an important indicator to 
secrecy performance. From aspect of uncertainty. Re indeed 
indicates the minimum additional rate needed to reconstruct 
the source within target distortion level with “zero-delay” 
decryption constraint, where “zero-delay” follows from that 
only single-block codes are allowed for wiretapper, i.e., the 
blocklength adopted by wiretapper is restricted to be the same 
to that adopted by A and B (in fact, without delay constraint, 
the wiretapper would collect multiple blocks to produce a 
supperblock reconstruction, which is called superblock cod¬ 
ing). This quantity is somewhat similar to equivocation (i.e., 
-77 (5'"|M)), which is also to measure the uncertainty of 
the wiretapper. However the equivocation is the minimum 
additional rate to decrypt for henchman and wiretapper, when 
wiretapper could apply arbitrary length supercode; while for 
Re, only single-block codes are allowed for wiretapper. In 
addition, from aspect of complexity. Re indicates the exponent 
of admissible maximum complexity (exponent of admissible 
maximum list size over all blocks) needed to reconstruct the 
source within target distortion level. 

In this paper, we study the Henchman problem with su¬ 
perblock coding, and define security rate as the minimum (in¬ 
fimum) of the additional rate needed to reconstruct the source 
within target distortion level with any positive probability 
for wiretapper. We aim at characterizing the optimal tradeoff 
among secret key rate, coding rate of the source, wiretapper 
distortion De, and security rate. An important difference from 
[6] is that we do not constrain the blocklength adopted by 
the Henchman and wiretapper; while in [6], the blocklength 
adopted by the Henchman and wiretapper is restricted to be 
the same to that adopted by A and B. It is worth noting that the 
proof in [6] relies on a likelihood encoder by using the soft 
covering lemma [8], which is invalid to solve our problem. 



Figure 1: The Shannon cipher system. 



Figure 2: The henchman problem with superblock coding. A 
henchman who has access to the I blocks of source sequence, 

and the I blocks of public message, M\ codes them with 
rate Rfj to help wiretapper to produce a reconstruction. The 
wiretapper reconstructs a sequence based on the public 
message M* and the information Mh from the henchman. 
Here = {Mi, M2, ■ ■ ■ ,Mi) denotes a sequence of the 
messages M. 

This is because if consider the superblock case and let Z —> cxd 
before let n —>■ 00 , then the soft covering lemma does 
not hold, where I denotes the number of subblocks in each 
supperblock, and n denotes the number of symbols in each 
subblock (which is also the blocklength of the code adopted 
by A and B). Actually, we find a more general approach 
to solve our problem which relies on jointly typical coding. 
Moreover, our approach is available to prove the results of 
[ 6 ]. In addition, we also define distortion-based equivocation 
as min -I {S'^;V^\M), which can be 

seen as an extension of equivocation -H (5'"|M) to lossy 
decryption case. By source coding theorem, in our problem 
the security rate is exactly equal to the distortion-based 
equivocation. Hence utilizing the result on security rate, we 
can easily characterize the admissible region of secret key 
rate, coding rate of the source, wiretapper distortion De 
and distortion-based equivocation by replacing security rate 
with distortion-based equivocation. It means that maximizing 
equivocation is indeed equivalent to maximizing security rate 
of lossless decryption. We also extend our results on lossless 
communication case to lossy communication case. 

H. Problem Formulation and Preliminaries 

Consider the secrecy communication system shown in Fig. 
1. The sender A observes a source sequence S'^ that is i.i.d. 
according to a distribution P 5 . Sender A and legitimate 
receiver B share a secret key K that is uniformly distributed 
in [ 2 ”^^] ' and independent of S'". Sender A encodes the 

*In this paper, the set 1, ...,m is sometimes denoted by [m]. 


source using the secret key and then sends the coded message 
M to legitimate receiver B over a noiseless channel at rate R, 
which is also wiretapped by a wiretapper Eve. To make our 
problem more clear, we introduce the Henchman problem with 
supperblock coding shown in Fig. 2 (the single block coding 
version is investigated in [ 6 ]). 

Henchman problem with supperblock coding 

Definition 1. The encoder and decoder of a (n, R, Rk ) block 
code are defined by the following two mappings: 

Encoder f : x [2"^^] ^ [2"-«] 

Decoder g : [2"'«] x [2"-«^] ^ S" ^ ^ 

The wiretapper Eve overhears the encrypted message M 
perfectly. A and B want to communicate within certain distor¬ 
tion level by using the secret key and the noiseless channel, 
while ensuring that the wiretapper suffers distortion above 
a certain threshold with high probability. We say a source 
sequence s" is decrypted by wiretapper if and only if the 
wiretapper produces a reconstruction of s", z”, such that 

d{s'^,z'^)<DE (2) 

When De is small enough, and A and B adopt an appropriate 
coding scheme, then the wiretapper cannot decrypt the source 
only by M. Hence, we can measure security by the minimum 
additional bit rate needed for wiretapper to decrypt the source. 
In this case, it is equivalent to that there is a rate-limited 
helper (i.e., a henchman) who can access all information 
about source (source S'" and the encrypted message M). As 
depicted in Eig. 2, by applying an I- length of superblock 
code (each subblock with n symbols), the wiretapper receives 
nlRn bits of side information from a henchman who has 
access to the source sequence S"^ and the public message 
MK Since the wiretapper and henchman cooperate, this means 
that the wiretapper effectively receives the best possible nlRn 
bits of side information about the pair to assist in 

producing a reconstruction sequence Z"*. 

Definition 2. The {1 ,Rh) Henchman code (Hcode) of a 
{n, R, Rk) block code is a superblock defined by the following 
two mappings: 

Encoder fn : 5 "' x [ 2 "'«] ^ [ 2 "'^"] 

Decoder gn : [2"'^"] x [2"'^] ^ Z"' 

The encoder and decoder of Hcode can be stochastic. 

Eor any (n, R, Rk) block code, we define security rate to 
measure its secrecy. 

Definition 3. For an {n, R, Rk) block code adopted by A and 
B, and a given decryption distortion level De, Henchman rate 
Rh of the {n, R, Rk) block code is said to be secure if for 
Ve > 0, the following inequality holds. In this case, Rh is 
said to be a secure Henchman rate or security rate. 

limsup max P [d (S'"', Z"') < £»e] < e (4) 
{I, R'e) Hcodes 
R'h < Rh — e 
























From Definition 3, we have that if the wiretapper receives 
any additional message with rate < security rate, then it 
cannot reconstruct the source within target distortion level with 
probability> e for any e > 0. Security rate also denotes the 
infimum of the additional rate needed to reconstruct the source 
within target distortion level with probability> e for any e > 0 
for wiretapper. 

To keep the transmission as secret as possible from Eve, A 
and B should maximize security rate or minimize decryption 
probability in (4). 

Definition 4. The tuple {R, Rk, Rh, De) is achievable for 
distortion measure d if for Ve > 0, as well as sujficiently 


large n, there exists an (n, R 

^ R'k) 

code satisfying 



VI 

Rk + e 

(5) 


R 

< 

R-\- e 

( 6 ) 

P 

gn ^ gn 

< 

e 

(7) 


Rh (De 

> 

Rh — e 

( 8 ) 


Inequality ( 8 ) is equivalent to (4). 

Definition 5. Given R, Rk, and De, maximum security rate 
R*fj {R, Rk, De) is defined as the supremum of all Rh such 
that (R, Rk, Rh, De) is achievable. 

The wiretapper and henchman jointly design a code consist¬ 
ing of an encoder ran — fn and a decoder z"* = 

9h {tnH,^}), subject to the constraint \Mh\ < We 

assume that the henchman and the wiretapper are both aware 
of the scheme that Nodes A and B employ, but neither aware of 
the secret key. That is to say the fu ,gH {mH,rn’'^ 

may be designed based on the (n,R,RK) block code. 

Although we assume the excess distortion constraint con¬ 
straint of distortion for wiretapper here, from the proofs of 
our results, our results still hold if apply expected distortion 
constraint for wiretapper 

In addition, it is worth noting that based on the definitions 
above, maximum security rate is equivalent to the following 
definition. 

Definition 6 . For a (n, R, Rk) block code adopted by A and 
B, and for a given decryption distortion level De, distortion- 
based equivocation is defined as: 



Figure 3; The region in Theorem 1 for source Ps ~Bern(l/2) 
and distortion measure d{s, z) = l{s z}. 

wiretapper. Therefore, maximum Rde (De) is exactly equal 
to {R, Rk, De). This implies that maximum equivocation 
is equal to the maximum security rate of lossless decryption. 

III. Main Results 

The following theorem characterizes the admissible region 
for lossless communication among the communication rate, 
secret key rate, wiretapper distortion, and security rate. 

Theorem 1. Given a source distribution Ps and distortion 
measure d, the tuple (R, Rk, Rh, De) is achievable if and 
only if it holds that 

R >H{S), (10) 

Rh<^{Rk,De) ( 11 ) 

where 

T{Rk,De)= min {I - X)Rk + XR{D) 

(A, D) : 0 < A < 1, 

XD f: DE 

( 12 ) 

R (D) denotes rate-distortion function of source S with dis¬ 
tortion measure d (s, s), i.e., 

R{D)= min I {S-,V) ( 13 ') 


Rde{De)= min (9) 

p (n”|s", m) : 

Ed{S^,V'^) < De 

The distortion-based equivocation is exactly a direct exten¬ 
sion of equivocation to lossy decryption case. For maximum 
security rate in Definition 5 we restrict the code adopted by 
A and B to be stationary (independent of time), hence the 
outputs must be a stationary process. Then by source 
coding theorem, Rde (De) is the minimum additional rate to 
decrypt source with any positive probability for henchman and 

^Assume the distortion function is upper bounded. 


The function (12) is exactly the rate-distortion tradeoff of 
the timesharing between the points (0,Rk) and {D,R{D)). 
Note that the region of Theorem 1 is different from that in 
Theorem 1 of [ 6 ], which is the singleblock coding version of 
Henchman problem. More precisely, the region of Theorem 
1 is the convex hull of that in Theorem 1 of [ 6 ] in Rh and 
De dimensions. This is because the timesharing is feasible for 
superblock coding, but not feasible for singleblock coding. It 
also implies that timesharing is one of the optimal strategies 
to achieve the optimal Rh and De tradeoff. Fig. 3 illustrates 
Theorem 1 for a Bern(l/2) source and Hamming distortion; 
the communication rate is assumed to satisfy R > H{S), and 
they have no effect on the (Rk, Rh, De) tradeoff. In Fig. 3, 






for given Rk and Rjj, the distortion region below the surface 
is not achievable for wiretapper with probability 1 ; while the 
distortion region above the surface is achievable for wiretapper 
with probability 1 . 

We can readily establish the following corollaries to Theo¬ 
rem 1 . 

Corollary 1. Given a source distribution Ps and distortion 
measure d, for all R > H (S), 

R*H{R,RK,DE)=TiRK.DE) (14) 

From the fact maximum Rde{De) is equal to 
R*e {R, Rk, De), we have the following corollary. 

Corollary 2. Given R > H (S) and Rk, maximum 
Rde {De) equals the R'^ {R^ Rk, De), i-e., they satisfy 


Nodes A and B use, Node B can always use the rate-i?^ key 
to identify the correct decryption of M (with probability 1), 
hence the number of possible decryptions of M is at most 
2”^^. This means that it is possible for the wiretapper to 
produce a lossless reconstruction (with probability 1 ) with 
henchman rate Rh- On the other hand, if Re > R{De), 
then the henchman and the wiretapper can simply use a point- 
to-point rate-distortion code (ignore M altogether) to describe 
within distortion De (with probability 1 ), no matter what 
scheme Nodes A and B use. In addition, by applying time¬ 
sharing, the the henchman and the wiretapper are able to 
achieve any distortion-rate pair on or above the convex hull 
of {D, min {Rk, R (O)}). Hence, to prevent wiretapper from 
achieving that, the inequality(l 1 ) holds. 

V. Achievability of Theorem 1 


limsup max Rde{De) 

n-^oo [n,R',R' e) codes 

R' R, R'k — Rk 

=R*h{R,Rk,De) (15) 

=V{Rk,De) (16) 

In addition, for lossless reconstruction at wiretapper, 
observe that limsup max ^ ^^es {S-\M) 

R! < i?, 

equals Im sup max Rde (0) with Ham- 

R' < R, R'k Rk 

ming distortion measure, hence by Corollary 2 the maximum 
equivocation is indeed equal to the maximum security rate. 

Corollary 3. Given R > H (S) and Rk, maximum equivo¬ 
cation equals the R^ {R, Rk, De = 0), with Hamming dis¬ 
tortion measure and also equals F {Rk,De = 0). 

Note that when setting d (s, s) = 1 {s ^ s} in the region of 
Corollary 3, corresponds to requiring a lossless reconstruction 
at wiretapper, which was Shannon’s original formulation of 
the problem in [1]. In this case, we see that the tuple 
{R, Rk, Rh, De = 0) is achievable if and only if 


R>H{S) (17) 

limsup max Rde (0) = e[mi{RK, H (S)} 

{n, R', R'e) codes 
R' < R, R'e Rk 

(18) 


This implies the Shannon’s results [1], i.e., the perfect secrecy 
(equivocation equals H (S)) is achievable if and only if Rk > 
H{S). 

We now prove the achievability and converse parts of 
Theorems 1. 


IV. Converse oe Theorem 1 

The constraint R > H{S) follows from the lossless source 
coding theorem. If Rh > Rk, then the henchman can send 
the index of possible decryptions of M. For any scheme that 


To prove the achievability, we only need to prove that if 
(10) and (11) hold, then there exists a code (adopted by A 
and B) making (4) hold. It means that the henchman observes 
the pair and encodes a message Mh, and the 

wiretapper observes {M\ Mh) and decodes Z”*; their goal is 
to minimize the distortion d ^"*). This is just the usual 
rate-distortion setting with side information available at 
both encoder and decoder. We will prove that if the Node A 
and B use the following coding scheme to encode and decode 
the source sequence, then (4) holds. 

Generation of codebooks: First, randomly generate a code¬ 
book Cs consisting of 2 ”^ sequences S'” drawn i.i.d. ^ 
Ps {si). Then divide all the codewords into bins of size 
2 nRK. Index bins by jp G and denote them as 

Cs {jp)- Also index codewords of each bin by js G [2”'^^]. 
The codebook as well as binning and indexing are known to 
everyone, including the adversaries (henchman and wiretap¬ 
per). 

Encoding at sender: Sender encode the sequence s" by j = 
{jp,js) if there exists an {jp,js) pair such that s” = s” {jp,js) 
in codebook Cs and s” {jp,js) S Tf (This is equivalent to find 
an {jp,js) pair such that (s”, s” {jp,js)) G Tf (^S, S^, where 
test channel Pg^s = 1 {s = s}). If there is more than one 
such index, randomly (uniformly) choose one among them. If 
there is no such index, randomly choose one index from [ 2 ”^]. 
Then the index within that bin, js, is one-time padded with the 
key sequence k. Denote the message to m = {jp,ms), where 
nis denotes the resulting message by one-time pad operation 
on js with k. 

Decoding at legitimate receiver: Using the key k, legitimate 
receiver achieves {jp,js) from the received m, and then it 
reproduces the sequence s" {jp,js)- 

By the standard proof on lossless source coding using joint 
typicality coding, we can readily establish that if R > H {S), 
then the legitimate receiver can reconstruct S'" with high prob¬ 
ability. Hence, we only need to prove that based on received 
M, with high probability it is impossible for wiretapper to 
achieve distortion less than De, if Rh satisfies ( 11 ). 


Theorem 2. Let t„ be any sequence that converges to zero 
sub-exponentially fast (i.e., r„ = If 

Rh<T{Rk.De) (19) 


then for Ve > 0, 

0 

( 20 ) 

where T (•) is defined in (12), and = (Mi, M 2 , • • • , Mi). 


lim Pcg lim sup Ejifi 

n-i-oo L 

max P [d(S'"',Z”') < ZJb] 

[I, R'u) Hcodes : 

R' < Rrj -f 


> Tn 


R'h ^ Rh — e 


The proof is given in Appendix B. 

Then by Theorem 2 we can establish the following corollary. 


Corollary 4. If Rh satisfies ( 11 ), then for Ve > 0 , 


lim Ecg 

n—foo 


lim sup Eiii-i 

l—fOO 


max P < ZJb] 

{I, R'u) Hcodes : 

R'h ^ Rh — e 


= 0 


( 21 ) 


The Corollary 4 implies ( 11 ) of Theorem 1 . Hence the proof 
is completed. 


VI. Causal Encryption System 

Here we consider a more general secrecy system, “causal 
encryption system”. Consider the secrecy communication sys¬ 
tem in Fig. 1, where the key is delivered at rate Rk, and 
the sender can not only use the current key but also all 
past keys to code the current block. We assume that the 
wiretapper has no decryption-delay constraint, hence it can 
do decryption after receving all transmitted blocks (assume 
total number is L). Besides, since the sender could adopt 
such an adaptive encryption scheme (amount of key could be 
different for different blocks), we assume the henchman and 
the wiretapper could also arrange any I transmitted blocks to 
form a superblock. 

Let the sender only use the current key, then this kind 
of general secrecy system is degenerated into the system 
described in Section II. By using the same compression and 
encryption scheme in Section V, the sender and the receiver 
could achieve the same secrecy performance. Hence for causal 
encryption system, the achievablity of Theorem 1 still holds. 
In addition, for the first (1 — A) L blocks, the henchman can 
use rate-i?if henchman code to help the wiretapper produce 
a lossless reconstruction (with probability 1 ), and for the last 
XL blocks, the henchman can use rate-i? (De) henchman code 
to help the wiretapper produce a reconstruction of S'^ within 
distortion De (with probability 1). Hence, the average hench¬ 
man rate is (1 — A) Rk + XR {De), and the average distortion 
is XDe- This means that the converse part of Theorem 1 still 
holds as well. Hence the achievable {R, Rk, Rh, De) for this 
case is also given by Theorem 1. 


VII. Conclusion 

In this paper, we introduce a new measure on secrecy, 
security rate, which is established based on rate-distortion 
theory, and denotes the minimum (infimum) of the additional 
rate needed to reconstract the source within target distortion 
level with any positive probability for wiretapper. We study it 
in Shannon cipher system with lossless communication, and 
characterize the admissible region of secret key rate, coding 
rate of the source, wiretapper distortion, and security rate 
(distortion-based equivocation). The single block version of 
henchman problem has been studied in [6] and [7]. In addition, 
by applying time-sharing decryption strategy, in the superblock 
version, the henchman and the wiretapper are able to achieve 
any distortion-rate pair on or above the convex hull of {D, Rh) 
of the single block version. Moreover, we prove that such 
time-sharing decryption strategy is optimal. In addition, since 
the security rate equals the distortion-based equivocation, 

min T/(S'”; V"|M), and the equivoca- 

p{v^\s^,m)-.Ed{S^,V^)<DE ” 

tion is a special case of the distortion-based equivocation (with 
Hamming distortion measure and De = 0), this gives an 
answer for the meaning of the maximum equivocation. 
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Appendix A 

Property of Distortion Set 

Proposition 1. (Property of Distortion Set): For any distortion 
measure d{s^,z^), if both |5| and \Z\ are finite, then the 
cardinality of D" = {d(s”,z") : s” G G Z”} is at 

most polynomial in n. 

Proof: Observe that the term d{s^,z'^) only depends on 
the joint type of and moreover the number of joint 

types is at most (n + 1) [10], which is polynomial in n. 

■ 

Appendix B 
Proof of Theorem 2 


Proof: We first define four envents 

€Cs}, 

max max 77cs,_D 


( 22 ) 




A2^{ ^ ^23) 

^ 2n([RK-R{D)A+<i) yjj g pn 

yf 3 =<| min 7 Cs (Jp) > (1 “ e) 2”-^^ ^ , (24) 

max fcs ('®") — 


A. = ^ 


min fcs ('S") ^ 2”!'^ '^1 [ ’ 


(25) 


s'^eT, 


Lemma 3. For any e > 0 and small enough S, P^g [ 7 I 4 J —> 0, 
as n ^ 00 . 

The proofs of Lemmas 1, 2 and 3 are given in Appendixes 
C, D and E, respectively. 

In addition, denote 


Q A I Ij if Node A encodes ith subblock successfully 
10, otherwise 

(31) 

Observe that Node A encodes jth subblock successfully, if and 
only if Ai happens; otherwise, randomly choose J. Therefore, 


It;: 


where A = A 2 A 3 A 4 - 

Lemma 4. For any 5 > 0, if R > FI (S) + e, then 
Ps. [:4r|Cs,^] —)■ 0, as n —>■ 00. 

The proof of Lemma 4 is given in Appendix F. 

In the following, we denote Cn = Ps" pi |Cs, A ]. Observe 
that <5^ is a sequence of i.i.d. random variables. Define 


where 


riCs,D{z^,Jp)= E Md{S-Up,Js),zn<D,S-{jp,js)e 

js^l ^ 

(26) 

D" 4 {d(s", z") : s” G 5”, z" G Z^} (27) 

7cg(jp)= E (28) 

E 1{5"(7) = s"} (29) 

jG[2"«] 

Obviously the events 7l2,,A3,7l4 are only about Cs, while the 
event Ai is about S'” and Cs- The 5-typical set is defined 
according to the notion of strong typicality, see [II]: 

Ts^iS) ^ {s” G S” : |Tg„ - PsI < SPs}, (30) 

where Ts^ denotes the empirical distribution of s" (i.e., the 
type of s”). 

Next we will prove that any codebook Cs that makes the 
events A 2 , A 3 , A 4 hold will also make the wiretapper decrypt 
the source with vanish probability. First, by method of types, 
we can prove the Lemmas 1-3. 

Lemma 1. For any e > 0 and small enough S, Pcg P 2 ] 0, 

as n ^ 00 . 

Lemma 2. For any e > 0 and small enough 5, Pcg pa] —> 0, 
as n ^ 00 . 


V 


A = {Q'eri(g)}, 


(33) 


then by the property of typicality we have the following 
lemma. 

Lemma 5. For any 5 > 0, Pgi psICsjTl] 0 , as I ^ 00 . 

We add to the side information at both henchman and 
wiretapper. Obviously, this will not decrease the decryption 
performance of henchman and wiretapper. Therefore, to prove 
Theorem 2, we only need to show 


lim Pcg limsupEjvriQi 

n-i-oo L 

max P[d (S”', Z”') < De] > 


= 0 


I.e., 


lim Pcg 


lim supE^jigi 


l—foo 


max P \d < De\M^Q^Cs] |Cs 

Hcode^Hin , 


> Tr, 


where Hcodes denote the henchman codes with side informa¬ 
tion at both henchman and wiretapper. 








First restrict the Cs to satisfy A by utilizing Lemmas 1-3. 


Pc. 


lim sup Em'q' 


min < De\M^Q'A 5 ACs 

Lz"'GCz(Cs,M'Q') 


max P[d(S^\Z^^) < De]> 
Hcode^Hi^Rn-. ^ ' 


(a) 

< 


<PCs 


lim sup E^iQi 
*- 1^00 


E 

z"'6Cz(Cs,M'Q') 

^qtlIRh 


d{S^‘,z^^) < DeIM^Q'AzACs 


( 36 ) 


max J 
z'^'-ec,iCs,M‘Q‘) 


d{S^\z^^) < DE\A'rQ'A5ACs 


max F[d (5"', Z”') < De] > Tn\A 

HcodeG'Hl.ii„-c 


<Pc. 


lim sup E^iQi 


max F[d (S'"', Z"') < De] > tAA 

HcodeeHi,R„., ' ^ ^ 


■Pc, [-4] 


Cn (34) 


<2"'^« max ] 


( 6 ) 

< 


d(S"',z"') < D£;|M'Q‘.45-4 Cs 

t 


(37) 

(38) 


2 "'«« max P[y d{S^{J,),z^) < IDe\M‘qU 5 ACs 
Znl^Z^^ [•“ 


2=1 


(39) 


where = {{1,R'h) Hcode : R'r < Rh - e}- 

We also restrict the Q' to satisfy A 5 by utilizing Lemma 5. 


t 

=2"'«« max F\'yd{S^{J^),z^)<lDE\Q* = l,M\A,Cs 

(40) 


2=1 


lim sup E^vfiQi 


l—^oo 


= 2 "'^" max y PP [Ji = JjIQj = l,Mi = TOi,y4.,Cs] 


max 

Hcode^T-Li^Rff-t 


P [d (S"', Z"') < TdfilM'QUCs] |y^Cs 
< lim sup E^iQi 


fi,-" Jt i=l 

1 


(41) 


. 2=1 


I —^00 


max 

HcodeG'Hi^R^-^ 

lr\l 


P [d < DeIM^QU^ACs] \AzACs 

-flimsupPgi [^sl^Cs] 

I —>00 


where step (a) is a union bound, and step (b) fol¬ 
lows from that 1 ) by definition of typicality, the num¬ 
ber of ” 1 ” in Q' is at least Z (1 — d) (1 — e„), and t = 

— (5) (1 — e„), 2 ) without loss of generalization we as¬ 
sume Qi = 1,1 < i < L Now we derive the probability 
P[di = ji\Qt = l,Mi = rrii]. For different i, {Ji,Mi,Qi) is 
i.i.d., hence for simplicity, we use P [J = j\Q = 1, M = m] to 
denote P [J^ = ji\Qi = 1, Mi = m^]. Moreover, for simplicity, 
we also omit condition A, Cs for each probability expression. 
First we have 

, P[S" = s",J = j,Q = l,M = m] 

We can consider all possible sequences z given 

(Cs, M'Q') as a codebook. Since the wiretapper only receives ^ = j, M = m, £ Tg^, e Cs] (42) 

Rh rate message from the henchman, possible sequences z"' =P [S'" = s", S" € 7}", S" G Cs] 


= lim sup E^igi 


l—>-oo 


max 

HcodeG'Hi^R^_^ 


P [d(S"',Z"') < DeIM^Q^A^ACs] \A 5 ACs 


given (Cs, M^Q^) produced by it is not more than 2 "'^". Then 
a Flcode could be seen as the combination of a codebook (with 
size 2 "'^"^) of z" sequences and an encoder that is designed 
based on that codebook. Hence we can write 


max P[d(S"', Z"‘) < DislM'Q'A^lCs] 

HcodeeGLi^Rfr-e 


X P [J = j|S" = s", S" e Ts", S" e Cs] P [M = m| J = j]. 

(43) 

For first term of 43, we have 

P [S" = s", S" e r^", S" e Cs] 

=P [S" = s"] 1 {s" e r^", s" G Cs} (44) 

and 


min d(S"',z"') < DbIM'QUsx^Cs 


(35) ( 45 ) 

where (45) is the property of typicality [11]. For other terms 
where the notation Cz(Cs, AL'Q') emphasizes that Cz is a of 43, we have 

function of the random codebook Cs and public messages p jj _ _ gU. 5 '" g 7 “" 

(Cs,M'Q'). Then by using a union bound, we can write the , ’ 

\9-n(fi-rr(S)+£)i fQn(j\ _ „nx 

right-hand side of (35) as —^ (7) ^ | 


( 46 ) 


























where /i 


1 


and 


EjG[2"«] Es-gS" P [S'” = S”, J = j, Q = 1, M = to] 


<- 


Es^gS" {s” e r^”, s" G Cs} ... 


T,g[ 2 "H] Es»g 5 " 2-”(«(S)+^)1{s” G r,”,s" G Cs}... 

2-^(R-H(S)-e)i^gn Q.) ^ s"}2-”-«^l{TOp = jp} 


< 


< 


< 


2-n(fl-ff(S)+e)l {5'n (j) = s"}2-"«^l{mp = jp} 

2»4n IS” Qj G r,”, S” (jj G Csi 1 {TOp = Jp} 

■ EjG[ 2 "«] 1 O') € V, S” (j) G Cs} 1 {TOp = jp} 

2 " 4 n{S” 0 )Gr,"}i{TOp = jp} 

EjG[2"«] 1 {*5” 0) G E”} 1 {"^P = jp} 

2”4n IS” (jj G r,”} 1 (TOp = Jp} 

Ej,g[2"«x] 1 {'5'" (Wp, js) € 77"} 

2 ” 4 n{S” (j)Gr,”}i{TOp = jp} 


(1 -e) 2"«^f 

where (54) follows from the condition Cs satisfying As- 
Combining (41) and (54), we have 


min fi(S”', z”0 < De\M^Q^A5ACs 

Lz"'gc,(Cs.M'Q') 


y : niis " K „ j,OGrn 


t 


,js,t 7 = 1 

l{J2d{S'^{mp,^,Js,^),z:)<lDE} 




2 nRK 2 '^^K 

<a max > > • • • > 


E 


(l-e) 


— 4e) 


p [j = j|5” = s”, S” G Ts", S” G Cs] 

^2-n(fi-rr(S)-e) ^ l^-n (j.) ^ gn| (47) 


'[M = to1J = j] =2-”^-l{TOp= jp} (48) 


? 7 j = max max 


(59) 


2"«K 


where (46) and (47) follow from the encoding process and the 
condition Cs satisfying A 4 . 

Therefore, 

P [J = jjM = TO, Q = 1] 

E.»g 5" P = s", 7 = J, Q = 1, M = to] 


(49) 


^ i{d(s”(TOp.„jj,o,^*E < A,s”(TOp,„j«,o G r^”} 

fs,i = l 

(60) 

and step (a) follows from that the number of the distortion 
incurred by n length block is at most polynomial in n, see 
Appendix A. 

Combining (34), (35), and (58), we have 

(61) (at top of the next page), where fi 2 = 

(X _ g)‘ 2 "*(^^“ 4 e)-nmH- 0 (Zlogn)^ 

Therefore, we only need to prove when Cs = c make A 2 
hold, then there exists a large enough n (not dependent on 1) 
that makes the following hold for any 1. 


max T]ir ]2 • ■ • ?7t < /r 2 (63) 

Di,D 2,---■Df-T.Ui DiKlDs 


(50) Assume ,42 holds, then we have 


(51) 

(52) 

(53) 

(54) 


max 771772 ■ ■■Vt 

Di,D2,- .£>t:ELi d,<iDe 

t 


< 


max 


Di,D 2, - ,Dr.Y:UiDi<lD, 

Hence we only need show 




7=1 


(55) 


ja,1 = 1 is,2 = 1 js,t = l Di,D 2 , - ,Dt-T,l=l Di<lDE 

t 

ni{7(S”(TOp,„7,,,),0 = A,S”(TOp,„jj,,) G m 

i^l 

(56) 

<M YZ dim ■■■Tit (57) 

Di,D 2 ,- ,Df-Y.UiD,<lDE 

(^)^2G0i°g") max mm^^^Vt (58) 

Di.Da, .. ,Df.Y:Ui Di<lDE 


max TT 2"([«^f--R(437)]++4 < (55) 

Di,D 2,- .Df-YlUi Di<lDE El 

Assume there are b of Di such that Rk > R{Di) in t 
subblocks, and A = |. Then we have 


max TT 2”([«7f-fl(£>.)]++4 

Di,D 2,- ,Dt.Y:Ai D^<IDe El 

< max 

X,Di,D 2, - ,Dxt.Y:jli Di<lDE 

( 66 ) 

< max (57) 

\,D-.\tD<lDE 

_ 2tne+max;,_£,.;,t£,<iDg [Ain(flif-fl(D))] (gg) 

For sufficiently n, all subexponential terms in p 2 can be 
omitted, hence we only need show 

2tne+maxx^D:Xtn<lnEl^Tn(RK-R{D))] ^ 2^T(Rk- iel-nlRn 


i.e.. 


Rh<j 

t 

^ J 


t (Rk — 4e) —te— max [Af {Rk — R{D))] 
X^D’.XtD'^lD E 


—5e + min [(1 — A) + Ai?(I?)] 

\,D-.\D<}De 


(69) 
















• Cs 


limsupE^./ig' max F[d{S'^, 

^ l—¥oo Hcode^l-Li^n^ — e. 


<^Cs 
<Pcs 
= Pc. 


lim sup Em'q' 

l—^OO 


lim supE^iQi 

^ l—>-oo 


max 


c^iCsM^Q^) 1-2^^gcz(Cs,M^Q0 

mV2 ■ ■■rjtlAzACs 

+ En 


max 


Di,D 2,--,Dt:J2Ui Di<lD 


min __ (i(S'”',z"') < DbIM'qUs^Cs \A5ACs 

> M21-4 + e„ 


> Tn\A 


+ En 


lim sup max 771772 ■ ■ - rit > /i2|-4 

- /—fcjo Di,D 2,--- Di<lDE 


(61) 


For small enough 5, e and large enough n, we have 
t 


— (1 — i5) (1 — e„) —>■ 1 


Then (69) becomes 


Rh < min [(1 — A) i?_R-+ Ai?(i 9 )l 
\,D:\D<De 

This is just the condition of Theorem (2). Hence the achiev- 
ability of Theorem 2 holds. ■ 

Appendix C 
Proof of Lemma 1 

Proof: According to definition of AI 2 , 

Pc. [:4^] 

max max r]Cs,D iz^Jp) 

=PC. 

^ 2n(lRK-R{D)] + +e'j g jyn 

< |2:n|2"(fl-«K)+0(logn) 

■DS'D" z^eZ"- 


Pc. 


VCs,D (z",jp) 


Vz^,Cs{jp) — 12js=i ^ipjs.z"- Given jp and z", ,js € 

[2"^*^] are i.i.d. random variables, with mean 

Ec.Op.j.,." =f‘{diS^,z^) <De,S^ gT^} (73) 

If we can show that the probability in (72) decays doubly 
exponentially fast with n, then the proof will be complete. To 
that end, we first introduce the following lemmas. 

Lemma 6. [6], [7] If is i.i.d. according to Ps, then for 
any z”, 

P[d(5'”, z”) <D,S^ G Ts^] < (74) 

where R{D)is the point-to-point rate-distortion function for 
Ps , and 0 ( 1 ) is a term that vanishes as 6 ^ 0 and ri —>■ 00 . 


Lemma 7. [6], [7] If X'^ is a sequence of i.i.d. Bern{p) 
random variables, then 


>fc' 

i=l 


^ ^ emp ^ ^ 


From Lemma 6, we see that 


Ec.e.p.,,,." < 2-AMD)-oi,i)) 


(75) 


(76) 


Using the bound on E[^jp we can apply Lemma 7 to 

the probability in (72) by identifying 

m = 2”-«^ 

p < ‘ 2 ~AR{d)—o(i)) ill) 

k = 2^iAK-R(D)] + +e) ^ 


(70) 

(71) 

(72) 


This gives 


E ^Op,Js,z 


> 


2n([Rif-i?(D)] + +£) 


i=i 


< 2 


-na2"'^ 


where 


a=[RK- R{D)]'^ - {Rk - RiD)) + € - o(l) 
( 3 =[Rk- R{D)]+ + e. 


(78) 


(79) 


where (72) follows from a union bound and the fact |I?"| 
is polynomial in n, see Appendix A. Define Cip.ia.z" = 

l\d{S^{jp,js),z^) < D,S^UpAs) € r,4, then 


For any fixed e and large enough n, both a and /3 are 
positive and bounded away from zero, and (78) vanishes 
doubly exponentially fast. Consequently, the expression in (72) 
vanishes, completing the proof of Lemma 1. ■ 

Appendix D 
Proof of Lemma 2 


Proof: According to definition of A^, 

Pc. [( 43 ] 


(80) 

(81) 


2pe[2"(«-«ic)] 

(82) 

Define Cip.M = 1 {5" (jp, j.) e T/"}, then ycsUp) = 

Op.j,- Given jp , G [2"^^] are i.i.d. random 

variables, with mean 

























®C.Cjp ,js 

(83) 

= P{S" (j)ern 

(84) 

> 1-62 

(85) 


where (85) holds for any £2 > 0 and sufficiently large n, and 
it follows from the typicality property. If we can show that the 
probability in (82) decays doubly exponentially fast with n, 
then the proof will be complete. To that end, we first introduce 
the following lemma on Chernoff bound. 


Lemma 8. [12] If is a sequence ofi.i.d. Bern{p) random 
variables, then 


< (1 — 5)mp 

i=l 


< e-< 5 < 1. 


By indentifying that 


( 86 ) 


where £2 (i5) tends to zero as (5 —> 0, and (97) follows from the 
typicality property [11]. If we can show that the probability in 
(94) decays doubly exponentially fast with n, then the proof 
will be complete. 

By indentifying that 



m = 2"-« 


(98) 


p < 2~AHiS)-e2iS)) 

(99) 


k = 2AR-H{S)+e) 

(100) 

and applying Lemma 7, we have 



Pc. 

fcs (s”) > 


(101) 

where 

a = £ - £2 (^) 

/3 = i? - 77 (S) + £. 

(102) 


m = 2"-^^ 

(87) 

p > 1 - £2 

(88) 

c- 1 — e 


^> 1 - -— 

1 - £2 

(89) 


and applying Lemma 8, we have 

Pc. {7c.0,)<(l-c)2"^-}<e- 


< e 


-^( 1 -^ 2 ) 

2 

(90) 


For fixed £, if 5 is small enough and n is large enough, then 
£2 < £ and £2 < 1, which means that (5 > 0 and 1 — £2 > 0. 
Hence (90) vanishes doubly exponentially fast. This completes 
the proof of Lemma 2. ■ 


For fixed £, if n is large enough and 5 is small enough, 
then £2 (<5) < £, which means that a > 0 and /3 > 0. Hence 
(101) vanishes doubly exponentially fast. This means that (94) 
holds. 

In the same way, by utilizing Lemma 8, we can prove that 
for small enough 5, as n ^ 00 , 


^Cs 


min (j>Cs (®") < 2"*^^ 


^ 0 


Therefore, this completes the proof of Lemma 3. 


Appendix F 
Proof of Lemma 4 


(103) 


Appendix E Proof: According to definition of Ai, we have 



Proof of Lemma 3 


PsM^ijCs,^] 

(104) 

Proof: According to definition of A4, 


= Ps" [S^ gTs^,S^ gCs\Cs,A] 

(105) 

Pc. p4 

max (pCc: (s") > 

(91) 

= Ps" [S" e 7;"|Cs,^] Ps" [S” G CsjS" 

(^Ts^,Cs,A] 

(106) 

= Pc. 

or min fcs (s") < 
s-GT/* 

(92) 

= Ps" [S^€Tr\Cs,A] 

= Ps" [S" G 77 *] 

(107) 

(108) 


<Pc. 


max fcs (s”) > 


+ Pc. 


min fcs (s") < 2"(^ 


where (108) follows from that if R> H (5') + £, S'" S 7^" and 
Cs satisfying A^, then S" S Cg. In addition, by law of large 
numbers, we have Psn [S" S 77*] —>■ 1 as n — >■ 00 [11]. ■ 


In the following, we prove that both terms of (93) vanish as 

n —>■ 00 . 


^Cs 


max fcs (®") > 2"*^^ HiS)+<L) 
s’^eTp 


< \Ts"\ max Pc. fcs (s”) > 
s"Gr^" L 


(94) 


Define Cj.s" — 1 {'5'” (j) = s"}. then ^c. (s”) = 

Given s" S T/* , € [2"'«] are i.i.d. 

random variables, with mean 


Pc.O.s" 

= P{S" (j) = s'*} 

^ 2-n{H{S)-e2{S)) 


(95) 

(96) 

(97) 



















